Duo report reveals spike in workers on unsecured networks

ANN ARBOR — Duo Security, the Ann Arbor-based provider of cybersecurity products and services, has released its third annual Duo Trusted Access Report, a look at the security state of the employees, contractors, devices and applications that make up the IT environments of Duo’s more than 10,000 customers worldwide.

The report shows a rapid evolution in how and where employees work, and it is not clear that businesses are keeping up from a security standpoint.

Year-over-year, the average number of unique networks from which employees, contractors and partners access protected data has spiked 24 percent at enterprise-sized organizations and 17 percent at mid-market companies.

Across Duo’s entire customer population, the average number of unique networks increased 10 percent in the same time frame. This means more work is being conducted from potentially unsecured Wi-Fi networks, which could include homes, airports, coffee shops, or other public spaces. These external, untrusted networks may introduce potential risks to corporate applications and data.

Duo also found that 43 percent of requests to access protected applications and data came from outside of the corporate office and network, meaning the way we work is changing. People are logging in to applications, networks and systems wherever and whenever, as work hours start to flex to fit different lifestyles, time zones and travel. Employers need to figure out how to grant the flexibility their workforce demands while also ensuring data remains secure and accessible to only trusted devices. It’s clear that the traditional, firewall-based security perimeter is quickly becoming irrelevant.

Other key findings from the report include:

* Ransomware Attacks Accelerate Windows 10 Adoption: In 2017, after the worldwide WannaCry ransomware attack against unpatched Windows 7 and Windows Server 2008 systems, businesses accelerated their adoption of Microsoft’s latest operating system, Windows 10, in an effort to protect against future attacks. In the three months prior to the WannaCry outbreak, Windows 10 adoption remained steady at 17 percent. In the three months following the attack, adoption jumped to 29 percent, then dropped to nine percent in subsequent months. Three years after being introduced, Windows 10 is now running on nearly half of Microsoft devices used for business, jumping from 27 percent to 48 percent year-over-year. Consequently, devices running on Windows 7 decreased from 65 percent to 44 percent year-over-year. Industries slowest to adopt Windows 10 are healthcare, transportation and storage, and insurance, while the quickest are computer and electronics, wholesale and distribution, and nonprofit.

* Apple Chips Away at Microsoft’s Business Dominance: Apple continues to chip away at Microsoft’s majority business market share. Year-over-year, macOS users increased from 27 percent to 30 percent, while Windows users declined from 68 percent to 65 percent. Users of iPhones and iPads for work increased slightly from 10 percent to 12 percent year-over-year, signaling an increasingly mobile workforce, with more users accessing work applications remotely via mobile Apple devices. The increase in Apple users has had a positive effect on security overall. Apple users are typically more up to date than Android/Chrome OS users, which can be attributed to a fragmented Android ecosystem. Out-of-date devices accessing work applications and data can introduce risk if organizations lack visibility or control over all devices on the network – both managed (corporate-owned and controlled) and unmanaged (personal devices owned by employees or contractors).

* The Phishing Business is Booming: Phishing attacks have grown in number because they are one of the most cost-effective ways for attackers to gain access to critical information, and then profit by selling the data. The barrier to entry is also relatively low, as you don’t need to have coding skills to maliciously use a phishing tool. Analysis of 7,500 phishing simulation campaigns conducted in the past two years on more than 230,000 recipients found 43 percent of recipients opened the phishing email; 23 percent of recipients clicked the link, making them susceptible to having malware or ransomware installed on their devices; 12 percent of recipients entered their username or password; 62 percent of campaigns were successful in capturing at least one person’s username or password; 64 percent of campaigns identified at least one out-of-date device; and 15 percent had out-of-date operating systems, leaving them susceptible to malware infection. On average, from the beginning of a phishing campaign, it only takes 12 to 13 minutes before someone is successfully phished.

* Disappearing in a Flash: The Adobe Flash Player uninstall rate spiked from 24 percent of devices to 69 percent year-over-year. Of the devices that did have Flash installed, 52 percent were running an out-of-date version. According to Google, the percentage of daily Chrome users loading at least one page of Flash content per day has plummeted from 80 percent in 2014 to 4 percent in early 2018. Flash will cease to be shipped with Chrome by 2020, and Adobe will end-of-life it in that same year.

Duo Security has more than 10,000 customers globally, including Dresser-Rand, Etsy, Facebook, K-Swiss, Random House, Yelp, Zillow, Paramount Pictures, and more. Founded in Michigan, Duo has offices in Ann Arbor and Detroit, as well as growing hubs in Austin, Texas; San Mateo, Calif.; and London, UK. Visit duo.com to find out more.